From bc34a8082cc1a8ffc0d9ec8a10f337f916e5a128 Mon Sep 17 00:00:00 2001
From: Dominik George <dominik.george@teckids.org>
Date: Mon, 8 Feb 2021 00:42:23 +0100
Subject: [PATCH] Fail early if LDAP fails authentication

This has to happen to not allow authentication with passwords of ghost
users.
---
 aleksis/core/util/ldap.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/aleksis/core/util/ldap.py b/aleksis/core/util/ldap.py
index 031e582e7..5a17cbbb5 100644
--- a/aleksis/core/util/ldap.py
+++ b/aleksis/core/util/ldap.py
@@ -1,5 +1,7 @@
 """Utilities and extensions for django_auth_ldap."""
 
+from django.core.exceptions import PermissionDenied
+
 from django_auth_ldap.backend import LDAPBackend as _LDAPBackend
 
 
@@ -20,13 +22,13 @@ class LDAPBackend(_LDAPBackend):
         """
         user = ldap_user.authenticate(password)
 
+        if not user:
+            # Fail early and do not try other backends
+            raise PermissionDenied("LDAP failed to authenticate user")
+
         if self.settings.SET_USABLE_PASSWORD:
-            if user:
-                # Set a usable password so users can change their LDAP password
-                user.set_password(password)
-            else:
-                # Disable local password if authentication fails
-                user.set_unusable_password()
+            # Set a usable password so users can change their LDAP password
+            user.set_password(password)
             user.save()
 
         return user
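Review bot: The new `raise PermissionDenied` at the top of the hunk changes the method's contract, but the docstring that ends just above it (the method's signature and docstring start outside this hunk) still describes only the return value; it should gain a line such as `Raises PermissionDenied when LDAP rejects the credentials; Django then stops and does not consult further authentication backends.`. Since `ldap_user.authenticate()` also appears to yield a falsy result when the LDAP server itself cannot be reached, not only on a wrong password, this check presumably blocks fallback to any locally authenticated account (for example an emergency admin) during an LDAP outage — worth confirming and stating in the same docstring so operators are not surprised. The removed `else` branch called `set_unusable_password()` on a `None` user, so the early exit also removes a latent AttributeError; a one-line comment above the check, `# ldap_user.authenticate() returns None on failure; never fall through to the password handling below`, would keep that reasoning visible.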
-- 
GitLab